auditd restart atomic?

Chris Nandor pudge at pobox.com
Tue Feb 7 20:58:33 UTC 2017 

Great, thanks Paul and Richard for the input (and we do have an 8192
backlog queue).  We won't be doing immutable rules, but we'll document that
when we change our chef recipes that update the config, that this will have
the effect of deleting rules, so some events may not be logged.

We have talked about using -e 2, but we're still working through our rules
... when we finalize them, we may go to that.

Thanks,

--Chris


On Tue, Feb 7, 2017 at 7:26 AM, Richard Guy Briggs <rgb at redhat.com> wrote:

> On 2017-02-07 10:05, Paul Moore wrote:
> > On Mon, Feb 6, 2017 at 8:12 PM, Chris Nandor <pudge at pobox.com> wrote:
> > > If I restart auditd, can it lose (not record to the logs) events that
> happen
> > > during the restart?  Or is the restart (and reload of new rules)
> essentially
> > > atomic?
> >
> > The kernel maintains a backlog queue of audit records when auditd is
> > not running and attempts to (re)send those records when auditd is
> > started.  However, the backlog queue size is fixed and it is possible
> > to overflow the queue; if that happens a message will be sent to the
> > kernel's ring buffer (dmesg).
>
> The default is 64, the value recommended in some documentation is 320,
> but values of 8k (8192) have been recommended to have enough buffer for
> events like an auditd restart.
>
> Chris, to answer the other half of your question, with respect to rules
> being reloaded atomically, it isn't.  My understanding is it starts with
> a -D to clear out all the rules and then adds rules in sequence from the
> /etc/audit/audit.rules file, so it would be possible to miss an event
> because the rule did not re-exist yet, unless you set your last rule to
> -e 2 to make the ruleset immutable, in which case the restart of auditd
> will have no effect on the existing immutable rule set.
>
> > paul moore
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20170207/e9b64bf7/attachment.htm>

More information about the Linux-audit mailing list